open-webui/open-webui
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*
- 0.3.8
A stored cross-site scripting vulnerability has been identified in open-webui version 0.3.8. This issue arises in the chat file upload feature, where an attacker can inject malicious scripts into a file. When this file is accessed by a victim, either through a shared chat or a direct URL, the injected JavaScript is executed in the victim's browser. This vulnerability could lead to theft of user data, session hijacking, distribution of malware, and phishing attacks.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user who accesses the file. This could result in theft of sensitive information, such as login credentials and personal data, session hijacking by stealing session cookies, distribution of malware or ransomware, and execution of phishing attacks within the application.
To reproduce this vulnerability, log in to an account and upload a file named 'poc.html' containing a script that fetches the local storage token and sends it to an external URL. After uploading the file, share it with another user or access it through the API. When the file is opened, the script executes, demonstrating the cross-site scripting vulnerability.
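A server-side mitigation for the file-serving path described above, as an added example that is not Open WebUI's own code or its actual fix. The function name `upload_response_headers` and the inline allow-list are assumptions; the filenames in the demo are constructed.

```python
import mimetypes
from urllib.parse import quote

# Assumption: only these passive types may render inline; all else is downloaded.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}


def upload_response_headers(filename, declared_type=None):
    """Build response headers for serving a user-uploaded file.

    The file renders inline only when the extension maps to an allow-listed
    passive type AND the client-declared type agrees with it. HTML, SVG,
    XML and anything unknown are sent as an opaque download, so the browser
    never parses them as a document in the application's origin.
    """
    guessed, _ = mimetypes.guess_type(filename)
    declared = (declared_type or guessed or "").split(";")[0].strip().lower()
    inline = guessed in INLINE_SAFE and declared == guessed

    if inline:
        content_type, disposition = guessed, "inline"
    else:
        content_type, disposition = "application/octet-stream", "attachment"

    # Percent-encode the name (RFC 5987 form) so path separators, quotes and
    # CR/LF in an attacker-chosen filename cannot alter the header.
    safe_name = quote(filename.replace("/", "_").replace("\\", "_"), safe="")

    return {
        "Content-Type": content_type,
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{safe_name}",
        # Stop the browser from sniffing HTML out of a mislabelled body.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: a sandboxed document gets an opaque origin, so a
        # script in it cannot read the application's localStorage or cookies.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample uploads: (filename, client-declared Content-Type)
    for name, ctype in [("poc.html", "text/html"), ("photo.png", "image/png"),
                        ("photo.png", "text/html"), ("diagram.svg", None)]:
        h = upload_response_headers(name, ctype)
        print(f"{name!r:14} {ctype!s:10} -> {h['Content-Type']}, "
              f"{h['Content-Disposition']}")
```

These headers cover only the response side; serving uploads from a separate origin that holds no session state removes the shared-origin exposure entirely.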